TL;DR: Weak redirect URI validation lets attackers intercept OAuth authorization codes or access tokens and reuse them for account takeover, bypassing passwords and MFA, according to Unosecur. The real failure is trust validation at the application layer, where exact-match redirect controls, PKCE, and token monitoring determine whether a legitimate login becomes a hijacked session.
NHIMG editorial — based on content published by Unosecur: OAuth Token Theft via Redirect Manipulation
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: What breaks when OAuth redirect validation is too loose?
A: Loose redirect validation allows authorization codes or access tokens to be delivered to attacker-controlled destinations.
Q: Why can OAuth token theft bypass MFA?
A: MFA only proves the user authenticated successfully. The authorization code or access token issued after that step carries the proof, so whoever redeems it inherits the authenticated session without ever facing the password or MFA prompt.
Q: How do security teams know if OAuth sessions are being abused?
A: Look for repeated token redemptions, unfamiliar geolocation, device changes, and abnormal application access immediately after a successful login.
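The detection signals in that answer (repeated redemptions, geolocation drift, device changes shortly after a valid login) can be expressed as simple correlation rules over identity-provider events. The following is an added example written for this editorial, not Unosecur's or NHIMG's detection logic; the log schema (`login_success` and `code_redeemed` events with `geo` and `device` fields), the users, codes and locations are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider log (one JSON record per line). Users, codes,
# locations and device ids are invented for this example.
SAMPLE_IDP_LOG = """
{"ts": "2024-05-01T09:00:00+00:00", "event": "login_success", "user": "alice", "geo": "DE", "device": "dev-A"}
{"ts": "2024-05-01T09:00:05+00:00", "event": "code_redeemed", "user": "alice", "code": "c-111", "geo": "DE", "device": "dev-A"}
{"ts": "2024-05-01T09:00:40+00:00", "event": "code_redeemed", "user": "alice", "code": "c-111", "geo": "NL", "device": "dev-Z"}
{"ts": "2024-05-01T09:05:00+00:00", "event": "login_success", "user": "bob", "geo": "FR", "device": "dev-B"}
{"ts": "2024-05-01T09:05:03+00:00", "event": "code_redeemed", "user": "bob", "code": "c-222", "geo": "FR", "device": "dev-B"}
""".strip()


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events, window=timedelta(minutes=15)):
    """Correlate code redemptions with the user's most recent login.

    Three rules, each producing one finding:
      repeated_redemption       - the same authorization code redeemed twice
      geo_shift_after_login     - redemption geo differs from the login geo
      device_shift_after_login  - redemption device differs from the login device
    The geo/device rules only fire inside `window` after the login, which is
    the period in which a hijacked response would normally be redeemed.
    """
    findings = []
    last_login = {}                  # user -> most recent login_success event
    redemptions = defaultdict(list)  # code -> list of redemption events

    for ev in events:
        if ev["event"] == "login_success":
            last_login[ev["user"]] = ev
            continue
        if ev["event"] != "code_redeemed":
            continue

        redemptions[ev["code"]].append(ev)
        if len(redemptions[ev["code"]]) > 1:
            findings.append({"rule": "repeated_redemption",
                             "user": ev["user"], "code": ev["code"]})

        login = last_login.get(ev["user"])
        if login is None or ev["ts"] - login["ts"] > window:
            continue
        if ev["geo"] != login["geo"]:
            findings.append({"rule": "geo_shift_after_login",
                             "user": ev["user"], "code": ev["code"]})
        if ev["device"] != login["device"]:
            findings.append({"rule": "device_shift_after_login",
                             "user": ev["user"], "code": ev["code"]})
    return findings


def rules_fired(text):
    """Convenience wrapper: user -> set of rule names that fired."""
    out = defaultdict(set)
    for f in find_anomalies(parse_events(text)):
        out[f["user"]].add(f["rule"])
    return dict(out)


if __name__ == "__main__":
    for user, rules in rules_fired(SAMPLE_IDP_LOG).items():
        print(user, sorted(rules))
```

In the constructed log, alice's code is redeemed a second time from a different country and device within a minute of her login, so all three rules fire for her; bob's single, consistent redemption produces nothing. In production the same correlation would join the IdP's token endpoint log with application access and proxy telemetry, as the guidance above describes.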
Practitioner guidance
- Enforce exact-match redirect URI allowlists: review every OAuth client registration and remove wildcard, pattern-based, or loosely matched redirect destinations.
- Mandate PKCE and state validation across all flows: apply PKCE to every OAuth implementation, including confidential clients where teams often assume it is unnecessary.
- Monitor token reuse after successful authentication: correlate identity provider logs with application access and proxy telemetry to detect repeated redemptions, unfamiliar geolocation, and device shifts after a valid login.
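The first two guidance points above (exact-match redirect allowlists, mandatory PKCE and state checks) are easiest to see as code on the authorization server side. The following is an added example for this editorial, not Unosecur's code or any particular IdP's implementation; the client registry, client id and redirect URIs are placeholders, and the in-memory `authorize`/`redeem` pair stands in for the authorization and token endpoints of a real server.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registry. The client id and URIs are placeholders for
# the example, not any real tenant's registration.
CLIENT_REGISTRY = {
    "portal-web": {
        "redirect_uris": {
            "https://portal.example.com/oauth/callback",
            "https://portal.example.com/oauth/callback-v2",
        },
    },
}


def registration_issues(uri):
    """Checks to run when a redirect URI is registered (or on review):
    anything that would weaken exact matching later is rejected here."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("host is missing")
    if "*" in uri:
        problems.append("wildcards are not allowed")
    if parts.fragment:
        problems.append("fragment component is not allowed")
    return problems


def loose_redirect_ok(client_id, redirect_uri):
    """Prefix matching, the kind of loose rule the guidance says to remove:
    any URI that merely starts with a registered value is accepted."""
    registered = CLIENT_REGISTRY[client_id]["redirect_uris"]
    return any(redirect_uri.startswith(r) for r in registered)


def strict_redirect_ok(client_id, redirect_uri):
    """Exact-match allowlist: the request value must equal a registered
    string byte for byte. No prefixes, patterns or normalisation."""
    client = CLIENT_REGISTRY.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    return verifier, pkce_challenge(verifier)


def pkce_ok(verifier, stored_challenge, method="S256"):
    """Token-endpoint check. Only S256 is accepted; 'plain' is refused."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(pkce_challenge(verifier), stored_challenge)


def state_ok(expected, received):
    """Client-side check that the returned state is the one this session sent."""
    return bool(expected) and hmac.compare_digest(expected, received or "")


# Minimal in-memory authorization server: code -> what it was bound to.
_ISSUED = {}


def authorize(client_id, redirect_uri, code_challenge):
    """Authorization endpoint: refuse unregistered destinations and any
    request without a PKCE challenge, then bind the code to both."""
    if not strict_redirect_ok(client_id, redirect_uri) or not code_challenge:
        return None
    code = secrets.token_urlsafe(24)
    _ISSUED[code] = {"client": client_id, "redirect": redirect_uri,
                     "challenge": code_challenge}
    return code


def redeem(code, client_id, redirect_uri, code_verifier):
    """Token endpoint: single use, same client, same redirect_uri as at
    authorization time, and a verifier matching the stored challenge."""
    binding = _ISSUED.pop(code, None)  # pop makes a second redemption fail
    if binding is None or binding["client"] != client_id:
        return False
    if binding["redirect"] != redirect_uri:
        return False
    return pkce_ok(code_verifier, binding["challenge"])
```

The contrast worth noting is in `loose_redirect_ok` versus `strict_redirect_ok`: a prefix rule accepts any URI that happens to begin with a registered value, while the exact-match rule accepts only the registered strings themselves. `redeem` also re-checks the redirect URI and consumes the code on first use, so a second redemption of the same code is refused outright rather than merely logged.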
What's in the full article
Unosecur's full blog covers the operational detail this post intentionally leaves for the source:
- A step-by-step attack flow showing how malicious OAuth links divert authorization responses in real environments.
- Specific detection logic for unusual token redemption, geolocation drift, and application-side anomalies.
- Hardening guidance for exact-match redirect validation, PKCE enforcement, and client registration review.
- Examples of log sources and monitoring points that help distinguish a valid login from a hijacked session.
👉 Read Unosecur's analysis of OAuth token theft via redirect manipulation →
OAuth redirect validation failures: are your controls keeping up?
OAuth redirect validation is a trust boundary, not a UI detail. The security model assumes the relying application will only send authorization responses to a pre-approved destination. That assumption fails the moment redirect matching becomes loose, wildcarded, or inconsistent across client types. The implication is that identity governance must treat redirect handling as part of access control design, not as a developer convenience.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly identity blind spots can become operational blind spots.
A question worth separating out:
Q: Who is accountable when OAuth token theft occurs in SaaS applications?
A: Accountability usually sits with both application owners and identity teams because the failure spans client registration, redirect validation, and token governance. Frameworks such as NIST CSF and Zero Trust both expect access pathways to be continuously validated, which includes the OAuth response path, not only the login page.
👉 Read our full editorial: OAuth token theft via redirect manipulation and session hijacking